
If you follow the Google Android operating system scene, you will probably have heard about the new, web-based Android Market store which was launched a few days ago.

The Android Market website allows the user to browse, search and install Android apps using an alternative to the standard device Android Market app that comes on smartphones.

The user is simply required to sign in with their standard Google credentials, and the application will retrieve the details of the Android devices registered to their account as well as the details of all the Market applications they have already installed.

Once the user signs in to Android Market the application install is available at the click of a button.

I wanted to see what happens on the device when a request to install a new app is submitted from the web-based store.

I logged into the Android Market and found an application suitable for testing: a popular game that made me waste some time last year when I first played it on an iPhone. This seemed a good opportunity to test its usability on the Android OS too. 🙂

The most important security aspect of the installation process on Android is the set of permissions an app requires on a device after installation. Android users should read the required permissions particularly carefully before they install any application, from the official Android Market or any other source.

For example, a game which requests unusual permissions such as SEND_SMS or RECEIVE_SMS should be considered highly suspicious and installed only if the user is certain about its functionality.

As expected, the web-based Android Market displays the required permissions so that the user can make an informed decision about whether to install the application.
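The permission review described above can be automated for the permissions an APK declares. The following checker is an added example, not code from the original post: it parses output in the style of `aapt dump permissions`, with a constructed sample APK listing, against a small watch-list of permissions a game has no obvious reason to request (the watch-list and the package name are assumptions; SEND_SMS and RECEIVE_SMS are the two the post calls out).

```python
import re

# Watch-list constructed for this example: permissions a simple game has no
# legitimate reason to request. SEND_SMS and RECEIVE_SMS are the two the post names.
SUSPICIOUS_FOR_GAMES = {
    "android.permission.SEND_SMS": "can send (premium-rate) SMS at your expense",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS, e.g. bank mTANs",
    "android.permission.READ_SMS": "can read stored SMS",
    "android.permission.CALL_PHONE": "can place calls without confirmation",
    "android.permission.READ_CONTACTS": "can harvest your address book",
}

# Constructed sample in the style of `aapt dump permissions <apk>` output.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.flyingbirds
uses-permission: android.permission.INTERNET
uses-permission: android.permission.ACCESS_NETWORK_STATE
uses-permission: android.permission.SEND_SMS
uses-permission: android.permission.RECEIVE_SMS
uses-permission: android.permission.WAKE_LOCK
"""

# Accepts both the old "uses-permission: X" and the newer "uses-permission: name='X'" forms.
_PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?([\w.]+)'?\s*$")


def parse_permissions(aapt_output):
    """Return the permission names declared in aapt-style output, in order."""
    perms = []
    for line in aapt_output.splitlines():
        m = _PERM_RE.match(line.strip())
        if m:
            perms.append(m.group(1))
    return perms


def review_game_permissions(aapt_output):
    """Return (permission, reason) pairs a user should question before installing a game."""
    return [(p, SUSPICIOUS_FOR_GAMES[p])
            for p in parse_permissions(aapt_output) if p in SUSPICIOUS_FOR_GAMES]


if __name__ == "__main__":
    for perm, reason in review_game_permissions(SAMPLE_AAPT_OUTPUT):
        print(f"SUSPICIOUS for a game: {perm} ({reason})")
```

The same check works on the permission list the web Market shows before install; the value is in comparing what is requested against what the app's category plausibly needs.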

However, the next step in the installation is where a big red security flag is raised. Once the user clicks on the install button on the website, the mobile device will automatically start downloading the application in the background.

This probably happens using the INSTALL_ASSET intent discovered last year by Jon Oberheide, when Google used Android's GTalkService mechanism to remotely remove a test Trojan application created by the researcher.

In summary – if someone managed to steal your Google password they could trick your Android smartphone into installing software, without you having to grant permission on the device itself.

The result of all this is that a Google password suddenly becomes even more valuable for potential attackers, and I would not be surprised to see even more Gmail phishing attacks as a consequence.

In future, however, the phishers’ intention may not be to use stolen account credentials for the purposes of sending spam but to install malware on the user’s Android devices instead.

Google should make changes to the remote installation mechanism as soon as possible. As a minimum, a dialog should be displayed on the receiving device so that the user must personally accept the application that is being installed.

Let us hope that the update will come in time to prevent cybercriminals abusing the Android Market for the automatic installation of malicious software.

Great article. I don't understand why we all continue to sacrifice security for convenience; your solution of one more step definitely seems more than reasonable. I would think at the very least you would have to opt out of this. Are the Android apps scanned? Or is there no control on those web apps?

When people tell me that I can’t use a dictionary word as a password, I lose faith in humanity. Do you really think ANY place that you’ve protected with a password is going to allow millions of login attempts to your account using different passwords until it guesses the right one? You’re an idiot! This tactic was thwarted over a decade ago. To use the standard dictionary to guess a windows password in this fashion would take more time than the universe has been in existence due to additional time between login attempts that the machine requires.

The last password that was found using a dictionary attack was done eons ago, they may re-create it in a lab, but EVERY programmer knows about it and knows how to prevent it. Social engineering is the way they “hack” your account. And that isn’t a “HACK” its them fooling you into GIVING it to them.

The attack vector is no longer “let’s go after this user and try a dictionary attack until we find the right one” — attackers have moved on to “Google has millions of accounts. Statistically, if we attempt to log into x% of them, using a random sampling from this dictionary, we can attempt x different passwords on each account before the timeouts get so long that we give up on that account for the day. Within a 1 month period, we should have y compromised accounts under our control.”

1. If you plan to post comments on the Naked Security site in future, please learn to be respectful. (You're lucky one of the other Naked crew got to your post first and approved it. I'd have deleted it. I don't care to see anyone – let alone my friend and colleague Vanja Svajcer! – called an idiot on this site.)

2. You are welcome to assume that every on-line property for which you have a password will correctly perform rate-limiting to reduce the effectiveness of a dictionary attack, or will disable your account after a number of failed attempts. But that would be an unwise assumption. (Twitter, for example, didn't begin to rate-limit login attempts until after an administrator's password was cracked using exactly the approach you insist would never work.)
https://nakedsecurity.sophos.com/2009/01/14/breaki…

3. You are welcome to seduce yourself into believing that "the last password found by a dictionary attack was done aeons ago", but you'd be wrong. In fact, you can watch a video showing my own lowly MacBook Pro laptop recovering nearly 200,000 passwords from hashes leaked from Gawker Media. That was in December 2010. (If you get the hashes, then you can crack offline, at your own pace. Any timing limitations imposed by the online authentication API become irrelevant.)
https://nakedsecurity.sophos.com/2010/12/29/wikile…

(The "Gawker Media" section is from 0'40" to 1'02"; the dump of cracked hashes is at about 0'53".)
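The pattern the earlier commenter describes (a few guesses spread across many accounts, staying under each account's timeout) is what defenders call password spraying, and the per-account lockout discussed in the reply above does not see it. The detection below is an added example, not part of the original discussion: it runs both a per-account view and a per-source view over a constructed login log; the addresses, account names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records "<ISO time> <source ip> <account> <result>": 203.0.113.7 sprays one
# guess each across six accounts; 198.51.100.9 is a real user mistyping twice.
SAMPLE_AUTH_LOG = """\
2011-02-05T10:00:01 203.0.113.7 alice FAIL
2011-02-05T10:00:03 203.0.113.7 bob FAIL
2011-02-05T10:00:05 203.0.113.7 carol FAIL
2011-02-05T10:00:08 203.0.113.7 dave FAIL
2011-02-05T10:00:11 203.0.113.7 erin FAIL
2011-02-05T10:00:14 203.0.113.7 frank FAIL
2011-02-05T10:01:00 198.51.100.9 alice FAIL
2011-02-05T10:01:04 198.51.100.9 alice FAIL
2011-02-05T10:01:09 198.51.100.9 alice OK
"""

def parse_events(log):
    events = []
    for line in log.splitlines():
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result))
    return events

def per_account_lockout_hits(events, max_failures=5):
    """Per-account view: accounts with more than max_failures failed logins (a spray never trips it)."""
    fails = defaultdict(int)
    for _, _, account, result in events:
        if result == "FAIL":
            fails[account] += 1
    return sorted(a for a, n in fails.items() if n > max_failures)

def detect_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=2):
    """Per-source view: sources failing against many distinct accounts, few guesses each, in a window."""
    by_ip = defaultdict(list)
    for ts, ip, account, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, account))
    flagged = set()
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            counts = defaultdict(int)
            for ts, account in attempts[i:]:
                if ts - start <= window:
                    counts[account] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged.add(ip)
                break
    return sorted(flagged)
```

On the sample, the lockout rule fires for nobody while the per-source rule flags 203.0.113.7; the offline-cracking case in the reply above is outside the reach of either control, since no login attempt is made at all.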

I agree with point 3 there, dictionary attacks are only pointless if you have some sort of controlled login. If you have a coding vulnerability which allows hackers to get access to password hashes, they can try all the dictionary words they want.
If your Gawker Media password was long enough or had non-alphanumeric characters, it would not have been vulnerable to the 2010 attack at all.

Google could learn from AppBrain, which offers the same kind of service for Android phones but requires the user to start the install on the phone end once the website sends the install request. Until Sophos offers AV for Android phones you can use Lookout which does scan new apps when they are installed.

This is completely a non-issue. You are aware that a software installation has occurred on your device since there is a user notification that an application has been successfully installed. Additionally, if someone has compromised your Google account they can presumably get as much personal info as they want from your Gmail inbox. Please quit the fearmongering.

What wondering? After the software installs, it leaves a notification in the bar. Furthermore, on the site, apps are listed by date of install, so it's absolutely trivial to tell if something was put on your phone.

If someone manages to gain access to your Google account, then installing applications should be the least of your concerns (assuming you use the account for other services) – what about all your data in other services – email, checkout account, etc.

Installing applications automatically is a convenience to most people.

It's worse than that. The analogy needs extending a bit. If you lose the key to your house, burglars might be able to install a listening device in your car, even if your car isn't anywhere near your house at the time.

So I think Vanja's warning is an important one: your Google password doesn't just let you access your email account. It effectively unlocks your phone, too.

Burglars might be able to install a listening device in your car, even if your car isn't anywhere near your house at the time… leaving a note in your car that reads "I just installed a listening device in your car". 😉

It's there, in your face until you remove it manually. Oh, and you have to turn on the listening device manually for it to function. Meaning you have to start the app before it can do anything to the phone; before that, it's just an APK file chilling in your system folder.

…or you turn off your phone (either manually without noticing, on automatic schedule or you run out of battery) and the notification is gone!
Upon restarting, the malware daemon is running happily away in the background…

I'm not sure how this is an issue, since the web install only allows Market apps to be installed on the device. While the Market does not have an iron-clad approval process, anything like that is removed quickly.